
[cobalt-security] messages in logfiles



Folks

Following mucho repetition of the same old questions in recent months,
here's a quick overview of some of the frequent messages you might see in
various logfiles. I submitted it to Cobalt to see if they'll include it in
the knowledgebase, but here it is anyway. This way it'll get in the mailing
list archives and give everyone another message to not find ;-)

Graeme

======

"Help! What does this message mean in my logfiles? Have I been hacked or is
it broken? Help!"

These questions pop up time and time again on mailing lists, in support
fora, and over the phone from a lot of Cobalt users. Here's a (reasonably)
simple explanation of what some of the most common ones really mean:

------------------------
1. "Who on Earth is 127.0.0.1?"

In /var/log/messages:
Aug 25 04:30:03 raq telnetd[6144]: ttloop: read: Broken pipe
Aug 25 04:45:01 raq proftpd[6722]: raq.domain (localhost[127.0.0.1]) - FTP session closed.
Aug 25 04:45:04 raq telnetd[6735]: ttloop: read: Broken pipe
Aug 25 05:00:00 raq proftpd[7311]: raq.domain (localhost[127.0.0.1]) - FTP session closed.

...and in /var/log/maillog:
Aug 31 04:15:01 raq imapd[4310]: imap service init from 127.0.0.1
Aug 31 04:15:01 raq imapd[4310]: Logout user=??? host=localhost [127.0.0.1]
Aug 31 04:15:02 raq sendmail[4312]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

So, why *does* someone keep trying to connect to my server on all these
services? Who is this 127.0.0.1 guy, anyway?

ANSWER: 127.0.0.1 is the 'loopback' address, or put more simply, 127.0.0.1
is the server's *internal* address. These log entries are made by the
'swatch' or Active Monitor service, asking your various services if they're
still working. They're perfectly normal messages to find in your logs.

The swatch service *can* be disabled if you really need to, although if
you're using the GUI a lot to manage your server this is not recommended.
------------------------

2. "What's all this nonsense about lame servers?"

Again, in /var/log/messages:
Aug 27 04:02:28 raq named[5694]: Lame server on '3.2.1.in-addr.arpa' (in '3.2.1.in-addr.arpa'?): [1.2.3.4].53 'name.server.net'
Aug 30 13:39:08 raq named[5694]: Lame server on 'lamedomain.org.uk' (in 'lamedomain.org.uk'?): [6.7.8.9].53 'name.server.net'

These messages are informational ones from your DNS system (named is the
server program itself).

What it means is that although these domains (3.2.1.in-addr.arpa and
lamedomain.org.uk) have been correctly delegated by the people responsible
for them, they have not been set up correctly on the target nameserver.

The reverse zone for the /24 network "1.2.3.0-255" is delegated by the
fictional parent to "name.server.net", yet "name.server.net" isn't
configured to answer requests for that zone - or it is not authoritative for
the zone.
Likewise, lamedomain.org.uk is delegated to "name.server.net", yet for some
reason it isn't responding at all, or at least not authoritatively, for
the zone.

These errors happen frequently. Unless you happen to know the administrators
for the domains in question, there's nothing you can do. If you run a busy
server you'll find your logs cluttered with these, but they can safely be
ignored - *unless* they happen to be for one of your domains!

Again, these messages can be disabled although this means editing your
nameserver configuration file by hand and is not recommended unless you
really know what you're doing.

Lame server messages do NOT mean your machine has been cracked/hacked!
------------------------
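To put sections 1 and 2 into practice, here is a small triage script (an added example, not part of the original post) that sorts lines in the formats shown above into Active Monitor probes, lame-server notices for other people's zones, and lame-server notices for zones you are supposed to serve, which is the one case the text says you should act on. The log lines and the MY_ZONES set are constructed for the example.

```python
import re

# Constructed sample lines in the formats quoted in sections 1 and 2 above
SAMPLE_LOG = """\
Aug 25 04:30:03 raq telnetd[6144]: ttloop: read: Broken pipe
Aug 25 04:45:01 raq proftpd[6722]: raq.domain (localhost[127.0.0.1]) - FTP session closed.
Aug 27 04:02:28 raq named[5694]: Lame server on '3.2.1.in-addr.arpa' (in '3.2.1.in-addr.arpa'?): [1.2.3.4].53 'name.server.net'
Aug 30 13:39:08 raq named[5694]: Lame server on 'lamedomain.org.uk' (in 'lamedomain.org.uk'?): [6.7.8.9].53 'name.server.net'
Aug 30 13:41:02 raq named[5694]: Lame server on 'example.org' (in 'example.org'?): [192.0.2.10].53 'ns1.example.org'
Aug 31 04:15:01 raq imapd[4310]: imap service init from 127.0.0.1
Aug 31 04:15:02 raq sendmail[4312]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 31 09:12:44 raq proftpd[8123]: raq.domain (203.0.113.7[203.0.113.7]) - FTP session closed.
"""

# Zones this server is meant to be authoritative for (assumed for the example)
MY_ZONES = {"example.org"}

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LAME = re.compile(r"Lame server on '(?P<zone>[^']+)'")

def classify(line):
    """Return (category, detail) for one syslog line."""
    m = SYSLOG.match(line)
    if not m:
        return ("unparsed", line)
    prog, msg = m.group("prog"), m.group("msg")
    # Active Monitor probes: sessions from loopback, plus telnetd's
    # "Broken pipe" when the probe hangs up on it
    if "127.0.0.1" in msg or (prog == "telnetd" and "ttloop: read: Broken pipe" in msg):
        return ("monitor-probe", prog)
    lame = LAME.search(msg)
    if prog == "named" and lame:
        zone = lame.group("zone")
        if zone in MY_ZONES:
            return ("lame-own-zone", zone)   # our own delegation is broken: fix it
        return ("lame-remote", zone)          # someone else's problem: safe to ignore
    return ("other", prog)                    # everything else still deserves a look

def summarize(text):
    """Count lines per category so the noise can be separated from the rest."""
    counts = {}
    for line in text.splitlines():
        cat, _ = classify(line)
        counts[cat] = counts.get(cat, 0) + 1
    return counts
```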

3. "Whoa, what's all this USAGE stuff mean? Is someone attacking me?"

A common query comes from people who don't understand what:

Aug 31 13:09:54 raq named[5694]: Cleaned cache of 10 RRsets
Aug 31 13:09:54 raq named[5694]: USAGE 999259794 996774872 CPU=13.44u/4.51s CHILDCPU=0.04u/0.02s
Aug 31 13:09:54 raq named[5694]: NSTATS 999259794 996774872 A=6435 PTR=1524 MX=6579 TXT=13 AAAA=206 38=4 AXFR=3 ANY=11787
Aug 31 13:09:54 raq named[5694]: XSTATS 999259794 996774872 RR=7029 RNXD=2053 RFwdR=4318 RDupR=3 RFail=8 RFErr=0 RErr=5 RAXFR=3 RLame=63 ROpts=0 SSysQ=3898 SAns=27993 SFwdQ=1921 SDupQ=372 SErr=0 RQ=26635 RIQ=9 RFwdQ=1921 RDupQ=7 RTCP=3 SFwdR=4318 SFail=0 SFErr=0 SNaAns=18126 SNXD=1980 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0

...really means. No, your machine is not being attacked; it's the DNS
server, named, spitting its statistics out at the default interval (60
minutes).
If you grab a copy of either the BIND source code, or a good DNS
administrators' guide, you can probably work out what this all means. For
people running serious DNS servers these stats are very useful since they
can show just what sort of load the servers are under.

For most RaQ owners, this can pretty much be ignored. Again, it can be
turned off but... yes, you guessed it, that's not recommended.
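For anyone who does want to make use of these lines, here is a parser (an added example, not from the original post or from Cobalt) for the USAGE/NSTATS/XSTATS format quoted above, with two derived figures. It assumes, following BIND 8's own naming as I understand it, that the two numbers after the keyword are the current time and named's start time in UNIX seconds, that RQ counts queries received, RR responses received and RLame lame delegations received; the sample lines reuse the values shown above.

```python
import re

# The statistics lines from above, joined onto single lines (values unchanged)
STATS_LOG = """\
Aug 31 13:09:54 raq named[5694]: Cleaned cache of 10 RRsets
Aug 31 13:09:54 raq named[5694]: USAGE 999259794 996774872 CPU=13.44u/4.51s CHILDCPU=0.04u/0.02s
Aug 31 13:09:54 raq named[5694]: NSTATS 999259794 996774872 A=6435 PTR=1524 MX=6579 TXT=13 AAAA=206 38=4 AXFR=3 ANY=11787
Aug 31 13:09:54 raq named[5694]: XSTATS 999259794 996774872 RR=7029 RNXD=2053 RFwdR=4318 RDupR=3 RFail=8 RFErr=0 RErr=5 RAXFR=3 RLame=63 ROpts=0 SSysQ=3898 SAns=27993 SFwdQ=1921 SDupQ=372 SErr=0 RQ=26635 RIQ=9 RFwdQ=1921 RDupQ=7 RTCP=3 SFwdR=4318 SFail=0 SFErr=0 SNaAns=18126 SNXD=1980 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
"""

STAT_LINE = re.compile(r"named\[\d+\]: (?P<kind>USAGE|NSTATS|XSTATS) "
                       r"(?P<now>\d+) (?P<boot>\d+) (?P<fields>.*)$")

def parse_named_stats(text):
    """Map each stats keyword to its timestamps and its key=value counters."""
    out = {}
    for line in text.splitlines():
        m = STAT_LINE.search(line)
        if not m:
            continue  # "Cleaned cache" and unrelated lines carry no counters
        kind = m.group("kind")
        fields = {}
        for tok in m.group("fields").split():
            key, _, val = tok.partition("=")
            # USAGE values are CPU times like 13.44u/4.51s; the rest are integers
            fields[key] = val if kind == "USAGE" else int(val)
        out[kind] = {"now": int(m.group("now")),
                     "boot": int(m.group("boot")),   # assumed: named start time
                     "fields": fields}
    return out

def query_rate(stats):
    """Queries received per hour since named started (RQ over uptime)."""
    x = stats["XSTATS"]
    uptime = x["now"] - x["boot"]
    return x["fields"]["RQ"] / uptime * 3600 if uptime > 0 else 0.0

def lame_share(stats):
    """Fraction of responses received that were lame delegations (RLame / RR)."""
    f = stats["XSTATS"]["fields"]
    return f["RLame"] / f["RR"] if f["RR"] else 0.0
```

Tracking these two numbers hour by hour is what the "load the servers are under" remark above amounts to in practice: a rising lame share usually means broken delegations upstream, not trouble on your own box.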
------------------------

==============================================